Business Continuity Consultants: Read this Before You Hire One
If you don’t know the answer to the following questions, then it’s probably time to speak to some experienced business continuity consultants ASAP:
- Will your company survive a major data loss?
- How much downtime could your business endure before recovery becomes next to impossible?
- What are the exact failsafes you need to implement to avert a total meltdown?
- Is my business in compliance with government regulations and laws for business continuity and data recovery (BCDR)?
Hiring a consultant is a smart move for companies that are new to continuity planning or who are reevaluating their existing strategies. However, there are many types of advisors out there, so it’s important to compare your options carefully and find the right fit for your business’s needs.
In this post, we address three questions that will improve your company’s readiness for a successful outcome from engaging with a business continuity consultant:
- What are the biggest reasons to consider BCDR consultants?
- Is your company prepared to work with a consultant?
- How can you differentiate consultants and what should you look for?
Let’s start with the most obvious question:
Why Use Business Continuity Consultants at All?
Every business faces a disaster at some point, whether it be technology failure, destruction from Mother Nature, malware, or even just Bob in Accounting who accidentally deletes some important spreadsheets. And now more than ever, with cybersecurity threats like ransomware, many companies are bombarded with disaster scenarios on a regular basis.
Planning for Disasters
How you plan for such disasters will ultimately determine two things:
- How vulnerable your company is
- How quickly it can recover if/when disaster strikes
Roughly 40 to 60 percent of small businesses do not survive a major disaster, according to statistics from the U.S. Small Business Administration. But a shockingly large number of these closures could be prevented if only they’d implemented the right planning.
The problem is: business continuity is complex. A lot of factors play into a company’s ability to thwart—and recover from—a critical event. Business continuity consultants can make the planning easier. They can provide insight into the company’s unique disaster-planning needs and also help to implement the right safeguards, such as technology, recovery procedures, testing protocols, and even employee training that will contribute to your company’s long-term resiliency.
Finding Answers to Your Toughest BCDR Questions
Business continuity consultants can help provide the answers to your questions about disaster preparedness. Depending on their specialty, a consultancy will help identify the company’s vulnerabilities and create an action plan that reduces risk and speeds up your recovery time.
- What goes in the business continuity plan (BCP)?
Some consultants can help you write your BCP—the foundation of your continuity planning—ensuring that you have a single comprehensive document that outlines the company’s readiness for a disaster.
- What is the Business Continuity Management (BCM) Lifecycle?
The BCM Lifecycle outlines the process that a consultant will follow to ensure that the plan you invest in is comprehensive, responsive to your unique business issues, and has mechanisms to keep the plan relevant as your business changes and new technologies and threats enter the market. The steps in the process are:
- Step 1 – Identify: Risk Assessment
- Step 2 – Analyze: Business Impact Analysis
- Step 3 – Create: Strategy and Plan Development
- Step 4 – Measure: Test, Train, Maintain
The purpose of the methodology is to leave no stone unturned in identifying risks and gain stakeholder agreement on response mechanisms so that when you face a disaster situation, your company can respond in a coordinated and determined manner. (indent paragraph)
- How do we perform a risk assessment?
A risk assessment is one of the most critical components of BC planning. It identifies the company’s unique risks, prioritized by likelihood. A good consultant can help uncover serious risks that your in-house teams may be overlooking.
- How do we perform a business impact analysis?
The business impact analysis is an extension of the risk assessment report. It tries to predict how each disaster risk will impact your business in terms of downtime, revenue loss, costs of idle workers, recovery expenses, impact on future revenue or the impact on brand perception and company reputation resulting from a loss of customer trust. An expert can help you perform this critical analysis to determine the true impact of each disaster and where the biggest continuity gaps need to be filled.
- What is our RTO or RPO?
A recovery time objective (RTO) is the amount of acceptable downtime that a business system or service can experience before the consequences become disastrous. Similarly, a recovery point objective (RPO) is the acceptable maximum duration of data loss after a backup restore. Both figures typically require a series of calculations and the coordination of different departments within your company. An experienced consultant can help you determine these projections. These projections, along with the findings from the business impact analysis, will be used in the Strategy and Plan to Development phase to develop the failsafe policies to enable your business to respond to disaster occurrences.
- Which technologies are imperative for continuity?
Data backups, cloud storage, virus/malware software, DDoS protection, redundant communications lines – these are just a few of the many technologies to consider. A BC advisor will assist you in weeding through the numerous options available in each of these areas.
- Help! What else do we need to know?!
Peace of mind is invaluable when it comes to business continuity. A consultant can identify the numerous other solutions and procedural steps you may not even be thinking about including: training programs, secondary business locations, medical response planning, legal and regulatory compliance, emergency contact lists, calling trees … the list goes on and on. If you’re just getting started on your BCP, or you’re not confident in your existing recovery planning, then it’s probably a good idea to speak to a consultant.
Is my company ready?
Business continuity consultants will tell you that it’s not unusual for them to receive requests for proposals from companies that haven’t done the necessary internal prep work to produce successful outcomes in the consultant selection process and program implementation. Given the significant dollar and personnel investment that your company will make in a BCDR program, designating key roles and responsibilities up front will pay dividends in your contract negotiations and plan deployment.
Subject matter expert
Appointing a member of your team to have the primary responsibility for interfacing with the consultant is the first step to a successful relationship. This point person, or program manager, will take the lead in defining your company’s requirements, communicating those needs to consultants competing for your business, and evaluating the proposals received. Consultants say that one of the early sources of friction in a relationship occurs when they deliver a proposal against a set of requirements that turn out to have been poorly conceived in the first place. When this occurs, disappointment over the disconnect turns into a lot of finger pointing right off the bat. Once the relationship is up and running, the point person will have to have sufficient depth of knowledge to judge whether the consultant’s analysis and recommendations match the needs of the business.
You should assess whether there are any gaps in the program manager’s knowledge and skills. If there are deficiencies, there are abundant resources available that are both paid and free that offer education, document templates, and tools from training organizations, government agencies, and industry leaders.
To complement the operational lead, you need to name an executive sponsor to provide the necessary corporate leadership. This person must have sufficient clout to advocate for necessary funding, motivate cross-departmental cooperation during the analysis phases, and mobilize the company when a disaster strikes. Visibility during a crisis is crucial, so you need a personality capable of stepping into this high-pressure role.
How do I find a good fit?
Type of Consultants
Remember that there are many types of business continuity consultants. For example, some might be technology providers; others can be software providers, continuity plan writers, emergency preparedness agencies, financial firms and so on. Some consultants specialize in one area; others may offer a 360-degree approach. Some consultancies are one-person firms; others are larger firms with dozens of employees on staff.
Evaluate your options carefully to ensure you’re choosing the appropriate type of service for your company. For example, if you’re already confident in your continuity planning, but you need to upgrade your data protection systems, then you can focus your search specifically on technology providers.
What to Look for in Business Continuity Consultants
Regardless of what type of expert you’re searching for, you need to make sure you’re dealing with a professional who can help you achieve your company’s specific BCDR objectives.
Here are a few things to look for to ensure it’s a good fit.
- Experience: This is one of the most important factors affecting the quality of service and guidance you receive. Always confirm how much experience a consultant has. A lack of experience could result in costly mistakes in your BCDR deployments – and you’ll realize it at the worst possible time: when disaster strikes. Stick with professionals who have an extensive track record. A few things to look for:
- Years in business
- Number of previous clients
- How many current active clients
- Client similarity: Sure, the consultant has 15 years under his belt, but if he only has experience in one industry—different from your own—then it’s probably not a good fit. Look for advisors whose clients look similar to your own company, in terms of:
- Company size
- IT infrastructure
- Continuity objectives
- Knowledge of new technologies and/or best practices: Business continuity is constantly evolving. New technologies can provide better protection against disasters and virtually eliminate downtime. Your consultants could have a lot of experience, but if they’re recommending outdated systems, then you’re leaving your company at risk. Do your homework; research their recommended implementations and make sure their advice is current before you put it into practice.
- Intestinal fortitude: While you are looking for a cooperative working relationship with your consultant, you also want to select a person who has enough backbone to take a stand and challenge existing ways of thinking about your businesses and perceived levels of preparedness for the unanticipated. One way to test their mettle is to ask them to speak about how they have previously dealt with resistance to their planning recommendations. A consultant’s strong resolve will also be an important factor in gaining employee cooperation during each step of the BCM lifecycle and when it comes time for presentations to management to obtain corporate buy-in to plan adoption.
- Ratings, reviews and referrals: Treat your prospective consultant with the same evaluation standards as you would a technology investment or even a job applicant. Take the time to research their history and look for online reviews from previous clients. When possible: reach out to those clients with specific questions. Ask the consultant if they’re willing to provide referrals that you can contact directly. A few things to look for as you evaluate responses from referrals:
- Whether expectations were met or exceeded
- Unexpected obstacles
- How the consultant’s implementations and processes held up during a real disaster situation (indent)
- Initial customer service: You can learn so much about a consultant during those first few weeks when you’re still evaluating their services. If you’re constantly reaching their voicemail and not hearing back, then you should be concerned. A lack of good customer service at this stage—especially at a time when they should be courting you! —is a good sign that things won’t be much better after you hire them. Ask yourself:
- How responsive are they to your phone calls and emails?
- How willing are they to visit your company in person?
- How thoroughly are they answering your questions? Do you feel rushed?
- Are you dealing directly with the consultant or an assistant?
- Executive presence: It’s important that you have confidence in the consultant’s ability to interact effectively with your executive team. This factor comes into play in the consultant’s role as a mentor to your executives on the art of crisis leadership. Successful consultants are able to educate executives on strategies and tactics for decision-making and communicating when the company is in the midst of a disaster. In a chaotic situation, strong leadership will inspire each member of the team to step up and fulfill their assigned roles and in the recovery plan and play a pivotal role in re-motivating the organization once the crisis has passed.
- Certification: It’s not critical or required that your BC consultant be certified. However, certification can show that the advisor has made a serious investment in their education, training and skill. DRI International, a well-known provider of BCDR training, says that its certifications “acknowledge an individual’s effort to achieve a professional level of competency in the industry.” If you compared two identical consultants, each with identical experience, but one was certified and one wasn’t, which would you choose? If certification is important to you, consider these additional factors when evaluating your options:
- Where is the certification from?
- How reputable is the company that provided the certification?
- How recent is the certification? Has it been maintained?
- “Results”: The tricky thing about continuity planning is that, unlike other types of business investments, it’s not always measured in ROI. However, when put to the test, good planning can save businesses a lot of money—and can literally save the business itself. When speaking to prospective consultants, ask for use cases that demonstrate real-world scenarios in which their guidance has led to measurable results, such as:
- Cost savings
- Reduced risk
- Faster recovery
- Minimized impact from a disaster
Final thoughts on finding a good fit
Sometimes, after you’ve evaluated all the factors above, you’ll need to make a subjective decision based on interactions with the consultant so far. In a nutshell, they need to “gel” with you and your team.
Depending on the services you’ll be needing, you will probably be interacting with the advisor on a regular basis over an extended period of time through the complete business continuity management lifecycle. They’ll need to get to know your operations, your people, your processes. If you’re getting a weird vibe from your prospective consultant, or you fear they won’t be a good fit for the company, then it may be time to look elsewhere.
If you need help finding the right business continuity consultant for your business, contact our experts at (646) 395-1170 or email success@invenioIT.com.